@agentutility/mcp-prooflayer 0.2.1 → 0.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -50,21 +50,21 @@ USDC on Base contract: `0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913`
50
50
 
51
51
  | Tool | Description |
52
52
  |---|---|
53
- | `ai-content-detector` | (0.03 USDC/call) AI content detector / GPT detector / ChatGPT plagiarism checker. Calibrated probability (0-1), verdict, suspicious phrases, per-axis style signals (em-dash overuse, hedge phrases, formulaic transitions). |
54
- | `app-store-rejection-explain` | (0.02 USDC/call) App Store rejection explainer / Google Play rejection triage / mobile app review policy checklist. Parses rejection text and app metadata, identifies likely policy areas, extracts deadlines, and returns a policy-clean resubmission checklist plus reviewer-note outline. Does not promise approval or recommend platform-policy evasion. |
55
- | `brand-clearance` | (0.25 USDC/call) Brand clearance aggregator / name screening / product-name vetting / startup-brand pre-flight. Given a candidate brand name, returns a single composite clearance signal an agent can act on. Calls four checks in parallel (in-process, no x402 self-billing): USPTO TM name search, domain availability across requested TLDs (default .com .ai .dev .io .co), Wikipedia presence, Hacker News mention scan. Returns risk_level (clear|soft|moderate|hard), risk_score 0-100, sub-scores per signal, the raw hits, and a one-line recommendation. Designed for AI agents self-screening project / product / startup names before committing. Screening tool only not legal advice. |
56
- | `cve` | (0.005 USDC/call) CVE lookup / vulnerability lookup / NVD record / CVSS scorer / vuln advisory fetch / exploit-known check / CWE class / patch-priority triage / Log4Shell-style record. Short alias of cve-lookup. Returns NIST NVD record with CVSS v3.1 + v2 vectors, severity, CWE, affected CPE list, references, public-exploit indicator with reference URLs, and a bounded exploitability summary. Federal public data. |
57
- | `cve-lookup` | (0.005 USDC/call) CVE lookup / vulnerability database / NVD record fetcher / CVSS scorer / Log4Shell-style advisory inspector / known-exploit checker / CISA KEV adjacent / patch-priority triage / CWE classifier. Pulls the canonical NIST NVD record for a CVE-YYYY-NNNNN identifier and returns description, CVSS v3.1 and v2 vectors plus numeric scores, severity bucket, CWE class, affected CPE list, NVD references, and a public-exploit-known boolean with reference URLs. Includes a bounded plain-English exploitability summary. Federal public data. |
58
- | `db-migration-risk` | (0.02 USDC/call) DB migration risk audit / SQL migration safety check / DROP COLUMN detector / unsafe ALTER TABLE detector / Postgres CREATE INDEX CONCURRENTLY check / Alembic op.drop_* detector / TRUNCATE/DELETE WHERE detector / foreign key NOT VALID check / pre-deploy DB gate. Walks `migrations/`, `prisma/migrations/`, `db/migrate/`, `supabase/migrations/`, `alembic/versions/` and flags destructive DDL, lock-heavy ALTER TABLE, NOT NULL without DEFAULT, plain CREATE INDEX (vs CONCURRENTLY), unbounded TRUNCATE/DELETE, and FK validation without NOT VALID. Returns 0-100 score, per-finding kind/severity/path/line/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ]} for private / agent-workspace use. |
59
- | `dep-risk-summary` | (0.03 USDC/call) repo dependency risk audit / package.json + lockfile vetter / unpinned dep detector / transitive dep counter / requirements.txt audit / pyproject dep risk / repo-level supply-chain risk score / Snyk-adjacent / deprecated dep detector / install-script dep detector. Best-effort scan of package.json, pnpm-lock.yaml, package-lock.json, yarn.lock, bun.lock (JS); requirements.txt, pyproject.toml, poetry.lock (Python); go.mod, go.sum (Go). Samples 10 alphabetically-first direct deps via npm/PyPI registry for deprecation + install-script signals. Returns 0-100 score, per-finding kind/severity/path/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} or {files: [{path, content}, ]}. |
60
- | `deploy-config-risk` | (0.02 USDC/call) deploy config audit / Dockerfile lint / vercel.json hardening / wrangler.toml review / docker-compose.yml safety / fly.toml secrets check / netlify deploy gate / open CORS detector / exposed admin port detector / plaintext secret in env detector / production-readiness deploy gate. Fetches deploy config files (Dockerfile, wrangler.toml, vercel.json, netlify.toml, fly.toml, docker-compose.yml, serverless.yml) and flags open CORS with credentials, exposed admin ports (22/5432/6379/etc), plaintext secrets in inline env, dev/debug mode left enabled, missing healthchecks. Returns 0-100 score, per-finding kind/severity/path/line/redacted-evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ]} for private / agent-workspace use. |
53
+ | `ai-content-detector` | (0.03 USDC/call) Detect AI-generated writing with a calibrated probability score. Returns a 0-1 likelihood, a verdict, suspicious phrases, and per-axis style signals (em-dash overuse, hedge phrases, formulaic transitions). Works as an AI content detector, GPT detector, or ChatGPT-text checker. |
54
+ | `app-store-rejection-explain` | (0.02 USDC/call) Explains App Store and Google Play rejections and turns them into a resubmission plan. Parses rejection text and app metadata, identifies likely policy areas, extracts deadlines, and returns a policy-clean resubmission checklist plus reviewer-note outline. Does not promise approval or recommend platform-policy evasion. Use it for Google Play rejection triage or as a mobile app review policy checklist. |
55
+ | `brand-clearance` | (0.25 USDC/call) Screens a candidate brand name across trademark, domain, and web-presence checks in a single composite signal. Runs four checks in parallel (in-process, no x402 self-billing): USPTO TM name search, domain availability across requested TLDs (default .com .ai .dev .io .co), Wikipedia presence, and a Hacker News mention scan. Returns risk_level (clear|soft|moderate|hard), risk_score 0-100, sub-scores per signal, the raw hits, and a one-line recommendation. Designed for AI agents self-screening project, product, or startup names before committing. Screening tool only, not legal advice. Use it as a brand clearance aggregator, name screening tool, product-name vetting step, or startup-brand pre-flight. |
56
+ | `cve` | (0.005 USDC/call) Looks up a CVE and returns the full NIST NVD vulnerability record. Short alias of cve-lookup: CVSS v3.1 + v2 vectors, severity, CWE class, affected CPE list, references, public-exploit indicator with reference URLs, and a bounded exploitability summary. Federal public data. Use it as a vulnerability lookup, NVD record fetch, CVSS scorer, vuln advisory fetch, exploit-known check, or patch-priority triage for Log4Shell-style records. |
57
+ | `cve-lookup` | (0.005 USDC/call) Looks up a CVE and returns its canonical NIST NVD record: description, CVSS v3.1 and v2 vectors plus numeric scores, severity bucket, CWE class, affected CPE list, NVD references, and a public-exploit-known boolean with reference URLs. Takes a CVE-YYYY-NNNNN identifier and includes a bounded plain-English exploitability summary. Federal public data. Use it as a vulnerability database, NVD record fetcher, CVSS scorer, Log4Shell-style advisory inspector, known-exploit checker, CISA KEV adjacent tool, patch-priority triage aid, or CWE classifier. |
58
+ | `db-migration-risk` | (0.02 USDC/call) Audits database migrations for risky SQL before deploy. Walks migrations/, prisma/migrations/, db/migrate/, supabase/migrations/, and alembic/versions/ and flags destructive DDL, lock-heavy ALTER TABLE, NOT NULL without DEFAULT, plain CREATE INDEX (vs CONCURRENTLY), unbounded TRUNCATE/DELETE, and FK validation without NOT VALID. Returns 0-100 score, per-finding kind/severity/path/line/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ...]} for private / agent-workspace use. Use it as a SQL migration safety check, DROP COLUMN detector, unsafe ALTER TABLE detector, Postgres CREATE INDEX CONCURRENTLY check, Alembic op.drop_* detector, TRUNCATE/DELETE WHERE detector, foreign key NOT VALID check, or pre-deploy DB gate. |
59
+ | `dep-risk-summary` | (0.03 USDC/call) Scores dependency risk for a whole repo from its manifests and lockfiles. Best-effort scan of package.json, pnpm-lock.yaml, package-lock.json, yarn.lock, bun.lock (JS); requirements.txt, pyproject.toml, poetry.lock (Python); go.mod, go.sum (Go). Samples 10 alphabetically-first direct deps via npm/PyPI registry for deprecation + install-script signals. Returns 0-100 score, per-finding kind/severity/path/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} or {files: [{path, content}, ...]}. Use it as a package.json + lockfile vetter, unpinned dep detector, transitive dep counter, requirements.txt audit, pyproject dep risk check, deprecated dep detector, install-script dep detector, or Snyk-adjacent repo-level supply-chain risk score. |
60
+ | `deploy-config-risk` | (0.02 USDC/call) Audits deploy configuration files for production risks. Fetches Dockerfile, wrangler.toml, vercel.json, netlify.toml, fly.toml, docker-compose.yml, and serverless.yml and flags open CORS with credentials, exposed admin ports (22/5432/6379/etc), plaintext secrets in inline env, dev/debug mode left enabled, and missing healthchecks. Returns 0-100 score, per-finding kind/severity/path/line/redacted-evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ...]} for private / agent-workspace use. Use it as a Dockerfile lint, vercel.json hardening pass, wrangler.toml review, docker-compose.yml safety check, fly.toml secrets check, netlify deploy gate, open CORS detector, exposed admin port detector, plaintext-secret-in-env detector, or production-readiness deploy gate. |
61
61
  | `github-repo-health` | (0.03 USDC/call) GitHub repo health score / open-source maintainability checker. 0-100 score + grade (abandoned/stale/okay/healthy/thriving). Commit activity, contributors, license, CI, tests. Plus LLM verdict. |
62
- | `package-risk-npm` | (0.03 USDC/call) npm package risk score / npm supply-chain scanner / typosquat detector / postinstall-script flagger / npm install pre-flight audit / package.json + pnpm-lock.yaml vetter / Snyk-adjacent / Socket.dev-adjacent / pre-install safety gate. Pulls registry metadata + download stats for an npm package (and optional version), checks maintainer count, weekly downloads, install / postinstall script hooks, dependency tree depth, deprecation flag, package age, last-publish recency, and edit-distance to popular package names (typosquat). Returns a 0-10 score, risk_level bucket, contributing factors, typosquat candidate list, and a Venice plain-English summary. |
63
- | `production-readiness-score` | (0.10 USDC/call) production readiness score / AI app deploy gate / Prooflayer cluster aggregator / repo prod-risk composite / one-call audit / unified production readiness API / vibe-coded app safety scan. Calls all 5 Prooflayer component scanners (secrets-exposure-check, deploy-config-risk, db-migration-risk, dep-risk-summary, prompt-injection-surface) in parallel in-process and rolls findings into a weighted composite score (default weights: secrets 0.30, migrations 0.20, deps 0.20, deploy 0.15, prompt 0.15). Returns composite 0-100, production_grade (production-ready | needs-review | risky | do-not-ship), per-component sub-scores, top-N deduped findings sorted by severity + score_contribution, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} or {files: [{path, content}, ]}. Optional 'weights' override (each in [0,0.5], proportionally normalized) and 'max_findings' (default 10, cap 50). |
64
- | `prompt-injection-surface` | (0.03 USDC/call) AI prompt injection surface scanner / LLM call-site audit / unsanitized user input in prompts detector / system-message mixing flag / unbounded completion detector / AI app safety scan / pre-deploy AI risk gate. Walks .ts/.tsx/.js/.jsx/.py/.mjs/.cjs source files, locates LLM SDK call sites (anthropic, openai, @ai-sdk/*, google generative), and flags user input flowing into prompts without sanitization, calls without max_tokens caps, system/user prompt mixing, and LLM output used unvalidated in fetch/exec/eval. Returns 0-100 score, per-finding kind/severity/path/line/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} (tree-walk, capped 500 files) or {files: [{path, content}, ]}. |
65
- | `pypi-package-risk` | (0.01 USDC/call) PyPI package risk score / Python supply-chain scanner / pip dependency vetter / typosquat detector / pre-install audit / Python-package safety check / pyproject.toml / requirements.txt vetter / poetry + uv pre-install gate. Pulls metadata + release history from pypi.org for a package (and optional version), evaluates age, recent download volume, maintainer count, post-install hook presence, dependency depth, deprecation flags, last-update recency, and string-distance to popular packages (typosquat). Returns a numeric score (0-10), risk_level bucket, contributing factor list, and a Venice-LLM plain-English risk summary. |
66
- | `secrets-exposure-check` | (0.02 USDC/call) secrets exposure scan / hardcoded API key detector / .env-committed-key audit / Next.js client env leak detector / pre-deploy secret gate. Fetches top-level config files (.env*, wrangler.toml, vercel.json, next.config.*, package.json, etc.) and scans for hardcoded AWS/OpenAI/Anthropic/Stripe/GitHub keys, private keys, DB URLs with passwords, JWT secrets, weak values in .env.example, and server-only env vars accidentally exposed via NEXT_PUBLIC_. Returns 0-100 score, per-finding kind/severity/path/line/redacted-evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ]} for private / agent-workspace use. |
67
- | `vendor-questionnaire-draft` | (0.08 USDC/call) Vendor security questionnaire draft API / security questionnaire answerer / SOC 2 evidence answer helper / vendor due diligence response builder. Takes questionnaire text plus supplied evidence snippets and drafts only evidence-supported answers. Unsupported questions are marked needs_evidence instead of invented. Useful for founders and agents answering customer security reviews without leaking private repo data or making unsupported compliance claims. |
62
+ | `package-risk-npm` | (0.03 USDC/call) Scores supply-chain risk for an npm package before you install it. Pulls registry metadata + download stats for the package (and optional version) and checks maintainer count, weekly downloads, install / postinstall script hooks, dependency tree depth, deprecation flag, package age, last-publish recency, and edit-distance to popular package names (typosquat). Returns a 0-10 score, risk_level bucket, contributing factors, typosquat candidate list, and a Venice plain-English summary. Use it as an npm supply-chain scanner, typosquat detector, postinstall-script flagger, npm install pre-flight audit, package.json + pnpm-lock.yaml vetter, or Snyk-adjacent / Socket.dev-adjacent pre-install safety gate. |
63
+ | `production-readiness-score` | (0.10 USDC/call) Scores production readiness for a repo in one call, aggregating the Prooflayer cluster. Calls all 5 component scanners (secrets-exposure-check, deploy-config-risk, db-migration-risk, dep-risk-summary, prompt-injection-surface) in parallel in-process and rolls findings into a weighted composite score (default weights: secrets 0.30, migrations 0.20, deps 0.20, deploy 0.15, prompt 0.15). Returns composite 0-100, production_grade (production-ready | needs-review | risky | do-not-ship), per-component sub-scores, top-N deduped findings sorted by severity + score_contribution, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} or {files: [{path, content}, ...]}. Optional 'weights' override (each in [0,0.5], proportionally normalized) and 'max_findings' (default 10, cap 50). Use it as an AI app deploy gate, repo prod-risk composite, one-call audit, unified production readiness API, or vibe-coded app safety scan. |
64
+ | `prompt-injection-surface` | (0.03 USDC/call) Scans AI app source code for prompt injection risk at LLM call sites. Walks .ts/.tsx/.js/.jsx/.py/.mjs/.cjs source files, locates LLM SDK call sites (anthropic, openai, @ai-sdk/*, google generative), and flags user input flowing into prompts without sanitization, calls without max_tokens caps, system/user prompt mixing, and LLM output used unvalidated in fetch/exec/eval. Returns 0-100 score, per-finding kind/severity/path/line/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} (tree-walk, capped 500 files) or {files: [{path, content}, ...]}. Use it as an LLM call-site audit, unsanitized-user-input-in-prompts detector, system-message mixing flag, unbounded completion detector, AI app safety scan, or pre-deploy AI risk gate. |
65
+ | `pypi-package-risk` | (0.01 USDC/call) Scores the supply-chain risk of a PyPI package before you install it. Pulls metadata + release history from pypi.org for a package (and optional version), evaluating age, recent download volume, maintainer count, post-install hook presence, dependency depth, deprecation flags, last-update recency, and string-distance to popular packages (typosquat). Returns a numeric score (0-10), risk_level bucket, contributing factor list, and an AI-written plain-English risk summary from Venice. Use it as a Python supply-chain scanner, pip dependency vetter, typosquat detector, pre-install audit, Python-package safety check, pyproject.toml / requirements.txt vetter, or poetry + uv pre-install gate. |
66
+ | `secrets-exposure-check` | (0.02 USDC/call) Scans project config files for hardcoded secrets before you deploy. Fetches top-level config files (.env*, wrangler.toml, vercel.json, next.config.*, package.json, etc.) and scans for hardcoded AWS/OpenAI/Anthropic/Stripe/GitHub keys, private keys, DB URLs with passwords, JWT secrets, weak values in .env.example, and server-only env vars accidentally exposed via NEXT_PUBLIC_. Returns 0-100 score, per-finding kind/severity/path/line/redacted-evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ...]} for private / agent-workspace use. Use it as a secrets exposure scan, hardcoded API key detector, .env-committed-key audit, Next.js client env leak detector, or pre-deploy secret gate. |
67
+ | `vendor-questionnaire-draft` | (0.08 USDC/call) Drafts vendor security questionnaire answers from evidence you supply. Takes questionnaire text plus evidence snippets and drafts only evidence-supported answers; unsupported questions are marked needs_evidence instead of invented. Useful for founders and agents answering customer security reviews without leaking private repo data or making unsupported compliance claims. Use it as a security questionnaire answerer, SOC 2 evidence answer helper, or vendor due diligence response builder. |
68
68
 
69
69
  ## How it works
70
70
 
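Review bot: the unchanged `github-repo-health` context row in the middle of this hunk is now the only row left in the old slash-separated keyword style, while every other row was moved to a sentence-first description with a trailing "Use it as ..." list; rewrite it the same way in this change so the table reads consistently. Replacing the broken `{files: [{path, content}, ]}` with `{files: [{path, content}, ...]}` in the rewritten rows is a real fix, since the stray comma made the input shape look like a syntax error. One small regression: the `db-migration-risk` row dropped the backticks around `migrations/`, `prisma/migrations/` and the other directory names, which the markdown table rendered as code; keep them in the README even if the generated description string does without them.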
@@ -85,4 +85,4 @@ The agent never sees the payment flow — it just gets the result.
85
85
 
86
86
  ---
87
87
 
88
- **Version:** 0.2.1 · **License:** MIT
88
+ **Version:** 0.2.3 · **License:** MIT
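Review bot: the hard-coded `**Version:** 0.2.3` in the README footer is a second copy of the version string that `VERSION` in the generated cluster file also carries, and this bump goes 0.2.1 to 0.2.3 with no 0.2.2 entry visible in the diff; either have scripts/generate-mcp-clusters.mjs stamp the README footer as well, or drop the footer version and point at package.json, so the two copies cannot drift.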
@@ -1,11 +1,11 @@
1
1
  /** Auto-generated by scripts/generate-mcp-clusters.mjs. Do not edit by hand. */
2
2
  export const CLUSTER_SLUG = "prooflayer";
3
- export const VERSION = "0.2.1";
3
+ export const VERSION = "0.2.3";
4
4
  export const TOOLS = [
5
5
  {
6
6
  "name": "ai-content-detector",
7
7
  "http_name": "ai-content-detector",
8
- "description": "(0.03 USDC/call) AI content detector / GPT detector / ChatGPT plagiarism checker. Calibrated probability (0-1), verdict, suspicious phrases, per-axis style signals (em-dash overuse, hedge phrases, formulaic transitions).",
8
+ "description": "(0.03 USDC/call) Detect AI-generated writing with a calibrated probability score. Returns a 0-1 likelihood, a verdict, suspicious phrases, and per-axis style signals (em-dash overuse, hedge phrases, formulaic transitions). Works as an AI content detector, GPT detector, or ChatGPT-text checker.",
9
9
  "method": "POST",
10
10
  "input_schema": {
11
11
  "type": "object",
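Review bot: the header comment says this file is auto-generated by scripts/generate-mcp-clusters.mjs and must not be edited by hand, so `VERSION = "0.2.3"` and the new `ai-content-detector` description should be the output of re-running that script with the README row as the single source; the README and TS strings do match byte for byte in this diff, and a CI step that regenerates and diffs would keep it that way. Note also that `description` is what the MCP client forwards to the model as tool metadata, and the appended "Works as an AI content detector, GPT detector, or ChatGPT-text checker." keyword tail is repeated on nearly every tool in this file; across the whole cluster that is a measurable amount of prompt context spent on synonyms the model does not need to select a tool.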
@@ -22,7 +22,7 @@ export const TOOLS = [
22
22
  {
23
23
  "name": "app-store-rejection-explain",
24
24
  "http_name": "app-store-rejection-explain",
25
- "description": "(0.02 USDC/call) App Store rejection explainer / Google Play rejection triage / mobile app review policy checklist. Parses rejection text and app metadata, identifies likely policy areas, extracts deadlines, and returns a policy-clean resubmission checklist plus reviewer-note outline. Does not promise approval or recommend platform-policy evasion.",
25
+ "description": "(0.02 USDC/call) Explains App Store and Google Play rejections and turns them into a resubmission plan. Parses rejection text and app metadata, identifies likely policy areas, extracts deadlines, and returns a policy-clean resubmission checklist plus reviewer-note outline. Does not promise approval or recommend platform-policy evasion. Use it for Google Play rejection triage or as a mobile app review policy checklist.",
26
26
  "method": "POST",
27
27
  "input_schema": {
28
28
  "type": "object",
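Review bot: the trailing "Use it for Google Play rejection triage or as a mobile app review policy checklist." restates the first sentence without adding a capability; consider trimming it, since the first sentence plus the "Does not promise approval or recommend platform-policy evasion." guardrail (correctly preserved here) is all the model needs.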
@@ -52,7 +52,7 @@ export const TOOLS = [
52
52
  {
53
53
  "name": "brand-clearance",
54
54
  "http_name": "brand-clearance",
55
- "description": "(0.25 USDC/call) Brand clearance aggregator / name screening / product-name vetting / startup-brand pre-flight. Given a candidate brand name, returns a single composite clearance signal an agent can act on. Calls four checks in parallel (in-process, no x402 self-billing): USPTO TM name search, domain availability across requested TLDs (default .com .ai .dev .io .co), Wikipedia presence, Hacker News mention scan. Returns risk_level (clear|soft|moderate|hard), risk_score 0-100, sub-scores per signal, the raw hits, and a one-line recommendation. Designed for AI agents self-screening project / product / startup names before committing. Screening tool only not legal advice.",
55
+ "description": "(0.25 USDC/call) Screens a candidate brand name across trademark, domain, and web-presence checks in a single composite signal. Runs four checks in parallel (in-process, no x402 self-billing): USPTO TM name search, domain availability across requested TLDs (default .com .ai .dev .io .co), Wikipedia presence, and a Hacker News mention scan. Returns risk_level (clear|soft|moderate|hard), risk_score 0-100, sub-scores per signal, the raw hits, and a one-line recommendation. Designed for AI agents self-screening project, product, or startup names before committing. Screening tool only, not legal advice. Use it as a brand clearance aggregator, name screening tool, product-name vetting step, or startup-brand pre-flight.",
56
56
  "method": "POST",
57
57
  "input_schema": {
58
58
  "type": "object",
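Review bot: "Screening tool only, not legal advice." is kept, good, but "in-process, no x402 self-billing" and the parallel-execution detail are operator notes rather than information the agent needs to choose the tool. At 0.25 USDC/call, the highest price in the table, what the description should make explicit is the input (the candidate name plus the requested TLD list, defaulting to .com .ai .dev .io .co) and that a `risk_level` of `clear` means no hits in these four sources, not trademark clearance.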
@@ -78,7 +78,7 @@ export const TOOLS = [
78
78
  {
79
79
  "name": "cve",
80
80
  "http_name": "cve",
81
- "description": "(0.005 USDC/call) CVE lookup / vulnerability lookup / NVD record / CVSS scorer / vuln advisory fetch / exploit-known check / CWE class / patch-priority triage / Log4Shell-style record. Short alias of cve-lookup. Returns NIST NVD record with CVSS v3.1 + v2 vectors, severity, CWE, affected CPE list, references, public-exploit indicator with reference URLs, and a bounded exploitability summary. Federal public data.",
81
+ "description": "(0.005 USDC/call) Looks up a CVE and returns the full NIST NVD vulnerability record. Short alias of cve-lookup: CVSS v3.1 + v2 vectors, severity, CWE class, affected CPE list, references, public-exploit indicator with reference URLs, and a bounded exploitability summary. Federal public data. Use it as a vulnerability lookup, NVD record fetch, CVSS scorer, vuln advisory fetch, exploit-known check, or patch-priority triage for Log4Shell-style records.",
82
82
  "method": "POST",
83
83
  "input_schema": {
84
84
  "type": "object",
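Review bot: `cve` is documented as "Short alias of cve-lookup", yet its rewritten description now diverges from cve-lookup's in wording ("full NIST NVD vulnerability record" vs "canonical NIST NVD record", "public-exploit indicator" vs "public-exploit-known boolean", and the CVE-YYYY-NNNNN input format stated only on cve-lookup); two different descriptions for one backend make the model treat them as two tools and compare them. Generate the alias description from cve-lookup's, or reduce it to "Alias of cve-lookup; same input and output."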
@@ -96,7 +96,7 @@ export const TOOLS = [
96
96
  {
97
97
  "name": "cve-lookup",
98
98
  "http_name": "cve-lookup",
99
- "description": "(0.005 USDC/call) CVE lookup / vulnerability database / NVD record fetcher / CVSS scorer / Log4Shell-style advisory inspector / known-exploit checker / CISA KEV adjacent / patch-priority triage / CWE classifier. Pulls the canonical NIST NVD record for a CVE-YYYY-NNNNN identifier and returns description, CVSS v3.1 and v2 vectors plus numeric scores, severity bucket, CWE class, affected CPE list, NVD references, and a public-exploit-known boolean with reference URLs. Includes a bounded plain-English exploitability summary. Federal public data.",
99
+ "description": "(0.005 USDC/call) Looks up a CVE and returns its canonical NIST NVD record: description, CVSS v3.1 and v2 vectors plus numeric scores, severity bucket, CWE class, affected CPE list, NVD references, and a public-exploit-known boolean with reference URLs. Takes a CVE-YYYY-NNNNN identifier and includes a bounded plain-English exploitability summary. Federal public data. Use it as a vulnerability database, NVD record fetcher, CVSS scorer, Log4Shell-style advisory inspector, known-exploit checker, CISA KEV adjacent tool, patch-priority triage aid, or CWE classifier.",
100
100
  "method": "POST",
101
101
  "input_schema": {
102
102
  "type": "object",
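Review bot: "CISA KEV adjacent tool" in the new "Use it as" tail is the one claim here that can mislead patch-priority decisions: nothing in the body says the KEV catalog is queried or that KEV membership appears in the output, only NVD data plus a "public-exploit-known boolean with reference URLs". Either state how that boolean is derived and drop "CISA KEV", or actually return a KEV field; otherwise an agent doing triage will read "KEV adjacent" as "tells me whether it is in KEV".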
@@ -114,7 +114,7 @@ export const TOOLS = [
114
114
  {
115
115
  "name": "db-migration-risk",
116
116
  "http_name": "db-migration-risk",
117
- "description": "(0.02 USDC/call) DB migration risk audit / SQL migration safety check / DROP COLUMN detector / unsafe ALTER TABLE detector / Postgres CREATE INDEX CONCURRENTLY check / Alembic op.drop_* detector / TRUNCATE/DELETE WHERE detector / foreign key NOT VALID check / pre-deploy DB gate. Walks `migrations/`, `prisma/migrations/`, `db/migrate/`, `supabase/migrations/`, `alembic/versions/` and flags destructive DDL, lock-heavy ALTER TABLE, NOT NULL without DEFAULT, plain CREATE INDEX (vs CONCURRENTLY), unbounded TRUNCATE/DELETE, and FK validation without NOT VALID. Returns 0-100 score, per-finding kind/severity/path/line/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ]} for private / agent-workspace use.",
117
+ "description": "(0.02 USDC/call) Audits database migrations for risky SQL before deploy. Walks migrations/, prisma/migrations/, db/migrate/, supabase/migrations/, and alembic/versions/ and flags destructive DDL, lock-heavy ALTER TABLE, NOT NULL without DEFAULT, plain CREATE INDEX (vs CONCURRENTLY), unbounded TRUNCATE/DELETE, and FK validation without NOT VALID. Returns 0-100 score, per-finding kind/severity/path/line/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ...]} for private / agent-workspace use. Use it as a SQL migration safety check, DROP COLUMN detector, unsafe ALTER TABLE detector, Postgres CREATE INDEX CONCURRENTLY check, Alembic op.drop_* detector, TRUNCATE/DELETE WHERE detector, foreign key NOT VALID check, or pre-deploy DB gate.",
118
118
  "method": "POST",
119
119
  "input_schema": {
120
120
  "type": "object",
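Review bot: findings here carry "evidence" rather than the "redacted-evidence" that deploy-config-risk and secrets-exposure-check advertise, and a "Venice plain-English verdict" is produced, but the description does not say what is sent to Venice: the findings only, or the migration file contents. For the `{files: [{path, content}, ...]}` private / agent-workspace path that distinction is the whole privacy story, so state it in the description or in the README "How it works" section. The ellipsis fix `[{path, content}, ...]` is correct; the old `, ]` read as a typo.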
@@ -124,7 +124,7 @@ export const TOOLS = [
124
124
  {
125
125
  "name": "dep-risk-summary",
126
126
  "http_name": "dep-risk-summary",
127
- "description": "(0.03 USDC/call) repo dependency risk audit / package.json + lockfile vetter / unpinned dep detector / transitive dep counter / requirements.txt audit / pyproject dep risk / repo-level supply-chain risk score / Snyk-adjacent / deprecated dep detector / install-script dep detector. Best-effort scan of package.json, pnpm-lock.yaml, package-lock.json, yarn.lock, bun.lock (JS); requirements.txt, pyproject.toml, poetry.lock (Python); go.mod, go.sum (Go). Samples 10 alphabetically-first direct deps via npm/PyPI registry for deprecation + install-script signals. Returns 0-100 score, per-finding kind/severity/path/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} or {files: [{path, content}, ]}.",
127
+ "description": "(0.03 USDC/call) Scores dependency risk for a whole repo from its manifests and lockfiles. Best-effort scan of package.json, pnpm-lock.yaml, package-lock.json, yarn.lock, bun.lock (JS); requirements.txt, pyproject.toml, poetry.lock (Python); go.mod, go.sum (Go). Samples 10 alphabetically-first direct deps via npm/PyPI registry for deprecation + install-script signals. Returns 0-100 score, per-finding kind/severity/path/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} or {files: [{path, content}, ...]}. Use it as a package.json + lockfile vetter, unpinned dep detector, transitive dep counter, requirements.txt audit, pyproject dep risk check, deprecated dep detector, install-script dep detector, or Snyk-adjacent repo-level supply-chain risk score.",
128
128
  "method": "POST",
129
129
  "input_schema": {
130
130
  "type": "object",
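Review bot: the new "Use it as" tail claims "unpinned dep detector" and "transitive dep counter", but the body only describes parsing the manifests and lockfiles and sampling the 10 alphabetically-first direct deps for deprecation and install-script signals; if unpinned-version and transitive-count checks exist, name them in the body, otherwise drop them from the tail. The sampling limit also deserves to be stated as a coverage caveat (registry signals cover at most 10 direct deps) so a clean 0-100 score is not read as a full audit.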
@@ -134,7 +134,7 @@ export const TOOLS = [
134
134
  {
135
135
  "name": "deploy-config-risk",
136
136
  "http_name": "deploy-config-risk",
137
- "description": "(0.02 USDC/call) deploy config audit / Dockerfile lint / vercel.json hardening / wrangler.toml review / docker-compose.yml safety / fly.toml secrets check / netlify deploy gate / open CORS detector / exposed admin port detector / plaintext secret in env detector / production-readiness deploy gate. Fetches deploy config files (Dockerfile, wrangler.toml, vercel.json, netlify.toml, fly.toml, docker-compose.yml, serverless.yml) and flags open CORS with credentials, exposed admin ports (22/5432/6379/etc), plaintext secrets in inline env, dev/debug mode left enabled, missing healthchecks. Returns 0-100 score, per-finding kind/severity/path/line/redacted-evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ]} for private / agent-workspace use.",
137
+ "description": "(0.02 USDC/call) Audits deploy configuration files for production risks. Fetches Dockerfile, wrangler.toml, vercel.json, netlify.toml, fly.toml, docker-compose.yml, and serverless.yml and flags open CORS with credentials, exposed admin ports (22/5432/6379/etc), plaintext secrets in inline env, dev/debug mode left enabled, and missing healthchecks. Returns 0-100 score, per-finding kind/severity/path/line/redacted-evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ...]} for private / agent-workspace use. Use it as a Dockerfile lint, vercel.json hardening pass, wrangler.toml review, docker-compose.yml safety check, fly.toml secrets check, netlify deploy gate, open CORS detector, exposed admin port detector, plaintext-secret-in-env detector, or production-readiness deploy gate.",
138
138
  "method": "POST",
139
139
  "input_schema": {
140
140
  "type": "object",
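Review bot: "plaintext-secret-in-env detector" in the tail overlaps secrets-exposure-check, which the README lists with "hardcoded API key detector" and ".env-committed-key audit"; say which tool owns secret detection in deploy files (for instance that this one covers inline env blocks in the listed deploy configs while .env* files belong to secrets-exposure-check) so an agent does not pay for both. The rest of the rewrite is fine, and "redacted-evidence" is correctly kept for a scanner that will quote secret-bearing lines.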
@@ -161,7 +161,7 @@ export const TOOLS = [
161
161
  {
162
162
  "name": "package-risk-npm",
163
163
  "http_name": "package-risk-npm",
164
- "description": "(0.03 USDC/call) npm package risk score / npm supply-chain scanner / typosquat detector / postinstall-script flagger / npm install pre-flight audit / package.json + pnpm-lock.yaml vetter / Snyk-adjacent / Socket.dev-adjacent / pre-install safety gate. Pulls registry metadata + download stats for an npm package (and optional version), checks maintainer count, weekly downloads, install / postinstall script hooks, dependency tree depth, deprecation flag, package age, last-publish recency, and edit-distance to popular package names (typosquat). Returns a 0-10 score, risk_level bucket, contributing factors, typosquat candidate list, and a Venice plain-English summary.",
164
+ "description": "(0.03 USDC/call) Scores supply-chain risk for an npm package before you install it. Pulls registry metadata + download stats for the package (and optional version) and checks maintainer count, weekly downloads, install / postinstall script hooks, dependency tree depth, deprecation flag, package age, last-publish recency, and edit-distance to popular package names (typosquat). Returns a 0-10 score, risk_level bucket, contributing factors, typosquat candidate list, and a Venice plain-English summary. Use it as an npm supply-chain scanner, typosquat detector, postinstall-script flagger, npm install pre-flight audit, package.json + pnpm-lock.yaml vetter, or Snyk-adjacent / Socket.dev-adjacent pre-install safety gate.",
165
165
  "method": "POST",
166
166
  "input_schema": {
167
167
  "type": "object",
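Review bot: the "package.json + pnpm-lock.yaml vetter" use case at line 164 is not matched by the stated input, which is "an npm package (and optional version)"; either document a lockfile or manifest input or drop that claim so agents do not try to pass a lockfile. The description should also say which version is scored when `version` is omitted (presumably the `latest` dist-tag), because install / postinstall hooks and typosquat distance are evaluated per release and a caller pinning an older version gets a different answer.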
@@ -183,7 +183,7 @@ export const TOOLS = [
183
183
  {
184
184
  "name": "production-readiness-score",
185
185
  "http_name": "production-readiness-score",
186
- "description": "(0.10 USDC/call) production readiness score / AI app deploy gate / Prooflayer cluster aggregator / repo prod-risk composite / one-call audit / unified production readiness API / vibe-coded app safety scan. Calls all 5 Prooflayer component scanners (secrets-exposure-check, deploy-config-risk, db-migration-risk, dep-risk-summary, prompt-injection-surface) in parallel in-process and rolls findings into a weighted composite score (default weights: secrets 0.30, migrations 0.20, deps 0.20, deploy 0.15, prompt 0.15). Returns composite 0-100, production_grade (production-ready | needs-review | risky | do-not-ship), per-component sub-scores, top-N deduped findings sorted by severity + score_contribution, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} or {files: [{path, content}, ]}. Optional 'weights' override (each in [0,0.5], proportionally normalized) and 'max_findings' (default 10, cap 50).",
186
+ "description": "(0.10 USDC/call) Scores production readiness for a repo in one call, aggregating the Prooflayer cluster. Calls all 5 component scanners (secrets-exposure-check, deploy-config-risk, db-migration-risk, dep-risk-summary, prompt-injection-surface) in parallel in-process and rolls findings into a weighted composite score (default weights: secrets 0.30, migrations 0.20, deps 0.20, deploy 0.15, prompt 0.15). Returns composite 0-100, production_grade (production-ready | needs-review | risky | do-not-ship), per-component sub-scores, top-N deduped findings sorted by severity + score_contribution, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} or {files: [{path, content}, ...]}. Optional 'weights' override (each in [0,0.5], proportionally normalized) and 'max_findings' (default 10, cap 50). Use it as an AI app deploy gate, repo prod-risk composite, one-call audit, unified production readiness API, or vibe-coded app safety scan.",
187
187
  "method": "POST",
188
188
  "input_schema": {
189
189
  "type": "object",
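Review bot: the 'weights' override at line 186 says each value is in [0,0.5] and "proportionally normalized", but not what happens when every supplied weight is 0 (normalization divides by zero) or when only some components are given; suggest stating that missing keys keep their default and an all-zero vector is rejected. The description also does not say whether the composite is still returned when one of the 5 component scanners fails; a partial composite labelled "production-ready" is a false-assurance risk, so document a per-component status or an error.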
@@ -193,7 +193,7 @@ export const TOOLS = [
193
193
  {
194
194
  "name": "prompt-injection-surface",
195
195
  "http_name": "prompt-injection-surface",
196
- "description": "(0.03 USDC/call) AI prompt injection surface scanner / LLM call-site audit / unsanitized user input in prompts detector / system-message mixing flag / unbounded completion detector / AI app safety scan / pre-deploy AI risk gate. Walks .ts/.tsx/.js/.jsx/.py/.mjs/.cjs source files, locates LLM SDK call sites (anthropic, openai, @ai-sdk/*, google generative), and flags user input flowing into prompts without sanitization, calls without max_tokens caps, system/user prompt mixing, and LLM output used unvalidated in fetch/exec/eval. Returns 0-100 score, per-finding kind/severity/path/line/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} (tree-walk, capped 500 files) or {files: [{path, content}, ]}.",
196
+ "description": "(0.03 USDC/call) Scans AI app source code for prompt injection risk at LLM call sites. Walks .ts/.tsx/.js/.jsx/.py/.mjs/.cjs source files, locates LLM SDK call sites (anthropic, openai, @ai-sdk/*, google generative), and flags user input flowing into prompts without sanitization, calls without max_tokens caps, system/user prompt mixing, and LLM output used unvalidated in fetch/exec/eval. Returns 0-100 score, per-finding kind/severity/path/line/evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} (tree-walk, capped 500 files) or {files: [{path, content}, ...]}. Use it as an LLM call-site audit, unsanitized-user-input-in-prompts detector, system-message mixing flag, unbounded completion detector, AI app safety scan, or pre-deploy AI risk gate.",
197
197
  "method": "POST",
198
198
  "input_schema": {
199
199
  "type": "object",
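Review bot: the "(tree-walk, capped 500 files)" clause at line 196 should say whether hitting the cap is reported in the response. A 0-100 score computed over a truncated walk of a large repo looks identical to a complete scan, so an agent using this as a "pre-deploy AI risk gate" would pass a repo whose LLM call sites were never visited; suggest a `truncated` indicator or a count of files scanned, and say which files are dropped first.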
@@ -203,7 +203,7 @@ export const TOOLS = [
203
203
  {
204
204
  "name": "pypi-package-risk",
205
205
  "http_name": "pypi-package-risk",
206
- "description": "(0.01 USDC/call) PyPI package risk score / Python supply-chain scanner / pip dependency vetter / typosquat detector / pre-install audit / Python-package safety check / pyproject.toml / requirements.txt vetter / poetry + uv pre-install gate. Pulls metadata + release history from pypi.org for a package (and optional version), evaluates age, recent download volume, maintainer count, post-install hook presence, dependency depth, deprecation flags, last-update recency, and string-distance to popular packages (typosquat). Returns a numeric score (0-10), risk_level bucket, contributing factor list, and a Venice-LLM plain-English risk summary.",
206
+ "description": "(0.01 USDC/call) Scores the supply-chain risk of a PyPI package before you install it. Pulls metadata + release history from pypi.org for a package (and optional version), evaluating age, recent download volume, maintainer count, post-install hook presence, dependency depth, deprecation flags, last-update recency, and string-distance to popular packages (typosquat). Returns a numeric score (0-10), risk_level bucket, contributing factor list, and an AI-written plain-English risk summary from Venice. Use it as a Python supply-chain scanner, pip dependency vetter, typosquat detector, pre-install audit, Python-package safety check, pyproject.toml / requirements.txt vetter, or poetry + uv pre-install gate.",
207
207
  "method": "POST",
208
208
  "input_schema": {
209
209
  "type": "object",
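Review bot: "an AI-written plain-English risk summary from Venice" at line 206 is the only tool in this diff that does not use the "Venice plain-English summary/verdict" phrasing; suggest aligning it for consistency. Separately, "post-install hook presence" is ambiguous for PyPI, since pip has no postinstall script mechanism comparable to npm's; say what is actually checked (for example, sdist-only releases whose setup.py runs at install time) so the factor is not read as a guarantee.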
@@ -225,7 +225,7 @@ export const TOOLS = [
225
225
  {
226
226
  "name": "secrets-exposure-check",
227
227
  "http_name": "secrets-exposure-check",
228
- "description": "(0.02 USDC/call) secrets exposure scan / hardcoded API key detector / .env-committed-key audit / Next.js client env leak detector / pre-deploy secret gate. Fetches top-level config files (.env*, wrangler.toml, vercel.json, next.config.*, package.json, etc.) and scans for hardcoded AWS/OpenAI/Anthropic/Stripe/GitHub keys, private keys, DB URLs with passwords, JWT secrets, weak values in .env.example, and server-only env vars accidentally exposed via NEXT_PUBLIC_. Returns 0-100 score, per-finding kind/severity/path/line/redacted-evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ]} for private / agent-workspace use.",
228
+ "description": "(0.02 USDC/call) Scans project config files for hardcoded secrets before you deploy. Fetches top-level config files (.env*, wrangler.toml, vercel.json, next.config.*, package.json, etc.) and scans for hardcoded AWS/OpenAI/Anthropic/Stripe/GitHub keys, private keys, DB URLs with passwords, JWT secrets, weak values in .env.example, and server-only env vars accidentally exposed via NEXT_PUBLIC_. Returns 0-100 score, per-finding kind/severity/path/line/redacted-evidence/recommendation, and a Venice plain-English verdict. Dual input: {repo: 'owner/name'} for public GitHub or {files: [{path, content}, ...]} for private / agent-workspace use. Use it as a secrets exposure scan, hardcoded API key detector, .env-committed-key audit, Next.js client env leak detector, or pre-deploy secret gate.",
229
229
  "method": "POST",
230
230
  "input_schema": {
231
231
  "type": "object",
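Review bot: "Fetches top-level config files" at line 228 should be stated as a scope limit, because in repo mode nested files (monorepo packages, `apps/*/.env`, framework config under `src/`) are not scanned and a high score does not mean the repository holds no committed secret. Since repo mode only works on public GitHub, any key the scan finds is already exposed; the per-finding "recommendation" should lead with rotation rather than removal, and the description could say so.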
@@ -235,7 +235,7 @@ export const TOOLS = [
235
235
  {
236
236
  "name": "vendor-questionnaire-draft",
237
237
  "http_name": "vendor-questionnaire-draft",
238
- "description": "(0.08 USDC/call) Vendor security questionnaire draft API / security questionnaire answerer / SOC 2 evidence answer helper / vendor due diligence response builder. Takes questionnaire text plus supplied evidence snippets and drafts only evidence-supported answers. Unsupported questions are marked needs_evidence instead of invented. Useful for founders and agents answering customer security reviews without leaking private repo data or making unsupported compliance claims.",
238
+ "description": "(0.08 USDC/call) Drafts vendor security questionnaire answers from evidence you supply. Takes questionnaire text plus evidence snippets and drafts only evidence-supported answers; unsupported questions are marked needs_evidence instead of invented. Useful for founders and agents answering customer security reviews without leaking private repo data or making unsupported compliance claims. Use it as a security questionnaire answerer, SOC 2 evidence answer helper, or vendor due diligence response builder.",
239
239
  "method": "POST",
240
240
  "input_schema": {
241
241
  "type": "object",
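Review bot: the description at line 238 does not document the response shape, unlike the other tools in this diff, which list their score and per-finding fields. An agent needs to know how `needs_evidence` is surfaced (a per-question status field, a separate list) so it does not submit a draft with unanswered questions; suggest listing the returned fields and stating that evidence snippets are sent only to the drafting model and not stored.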
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@agentutility/mcp-prooflayer",
3
- "version": "0.2.1",
3
+ "version": "0.2.3",
4
4
  "description": "MCP server for the @agentutility prooflayer cluster — pay-per-call x402 tools, no API keys, USDC on Base.",
5
5
  "license": "MIT",
6
6
  "type": "module",
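Review bot: the version at line 3 jumps from 0.2.1 to 0.2.3 while the only changes in this diff are description strings in README.md and the tool manifest; a patch bump is appropriate, but the skipped 0.2.2 and the absence of a changelog entry leave consumers unable to tell what else, if anything, changed. Suggest a CHANGELOG line stating that this release is description-only with no dependency or behaviour change.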